
Hi, We have installed today your software via winget (winget install Inkscape.Inkscape) and our antivirus software showed some Indicators of Compromise corresponding to some files that were extracted from .msi during installation.
PS C:\Users\MikolajMichnowicz> winget show Inkscape.Inkscape
Found Inkscape [Inkscape.Inkscape]
Version: 1.3.2
Publisher: Inkscape
Publisher Url: https://inkscape.org
Publisher Support Url: https://inkscape.org/support-us
Moniker: inkscape
Description: Inkscape is a free and open-source vector graphics editor used to create vector images, primarily in Scalable Vector Graphics (SVG) format. Other formats can be imported and exported.
Homepage: https://inkscape.org
License: GPLv2
License Url: https://inkscape.org/about/license
Privacy Url: https://inkscape.org/about/privacy
Tags: art drawing editor foss graphics icons svg vector-graphics
Installer:
  Installer Type: wix
  Installer Locale: en-US
  Installer Url: https://media.inkscape.org/dl/resources/file/inkscape-1.3.2_2023-11-25_091e2...
  Installer SHA256: 214263cb23d241134af0a22144c54ff1a1c0993d3a1c9ea7d76710f985a145df
Files detected related to installation:

1. HelloXD Ransomware Detected
An artifact with an extension associated with the HelloXD ransomware was seen. Hello XD is a ransomware targeting Windows and Linux systems which disables shadow copies and encrypts user's files. It is known to drop an open source backdoor called MicroBackdoor on the victim's machine to exfiltrate files, execute commands and delete itself from the host.
Categories: ransomware
Tags: ransomware, malware, file, UA_2022
Artifact ID: 9502
SHA256: 913357103891825ab4b7aec76dc7c8185fa7860ed798b8d4d60b9cb97ccf6da9
Path: CM_FP_inkscape.lib.tk8.6.demos.hello

2. Cuba Ransomware Artifact Detected
An artifact known to be associated with the Cuba ransomware was seen being created or modified on the system. The Cuba ransomware has been targeting organizations in various fields, such as financial institutions, technology, logistics, etc. The malicious actors behind it recently decided to start leaking the stolen data, similar to what happened to other ransomware campaigns. Once a victim's network has been breached, the attackers deploy PowerShell scripts to move laterally and execute the next stages.
Categories: ransomware
Tags: ransomware, encryption, persistence, artifact
Artifact ID: 9240
SHA256: 2f9dfe275b62efbcd5f72d6a13c6bb9afd2f67fddd8843013d128d55373cd677
Path: CM_FP_inkscape.lib.tcl8.6.tzdata.Cuba

It of course could be a false positive; nevertheless, please check it out, maybe someone compromised some elements somewhere and put those in.

Dear Mikolaj Michnowicz,
I'm not sure I know anything about winget; I don't think that's an Inkscape-operated or Inkscape-approved method for getting Inkscape.
If the sha for the msi matches the one on the website (inkscape.org) then you can be sure it contains no ransomware. But be careful.
It's a bit of a cheek for the antivirus to say it infects Linux when it's an msi file, but I guess it's a standard bog roll text.
Come to the dev chat at chat.inkscape.org if you'd like to talk to the msi builder.
Best Regards,
Martin Owens
On Sun, 11 Feb 2024 at 14:56, Anonymous User mikolaj.michnowicz@mcomm.eu wrote:
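As an added example (not code from either poster or from Inkscape), a small Python triage helper for the two checks this thread turns on: pulling the artifact id, SHA-256 and path out of antivirus report rows pasted flat like the ones above, and comparing a downloaded installer's SHA-256 with the hash winget reported. The report rows are the two from the message, embedded as constructed sample input; any installer path you pass to sha256_file is your own.

```python
"""Triage helpers for an AV report on a package-manager install (added example)."""
import hashlib
import hmac
import re

# Flattened AV report rows as pasted in the thread (constructed sample input).
AV_REPORT_ROWS = [
    "Categories ransomware Tags ransomware, malware, file, UA_2022 Artifact ID SHA256 Path "
    "9502 913357103891825ab4b7aec76dc7c8185fa7860ed798b8d4d60b9cb97ccf6da9 "
    "CM_FP_inkscape.lib.tk8.6.demos.hello",
    "Categories ransomware Tags ransomware, encryption, persistence, artifact Artifact ID "
    "SHA256 Path 9240 2f9dfe275b62efbcd5f72d6a13c6bb9afd2f67fddd8843013d128d55373cd677 "
    "CM_FP_inkscape.lib.tcl8.6.tzdata.Cuba",
]
# Installer SHA256 exactly as `winget show Inkscape.Inkscape` printed it in the thread.
WINGET_SHA256 = "214263cb23d241134af0a22144c54ff1a1c0993d3a1c9ea7d76710f985a145df"

ROW_RE = re.compile(
    r"Categories\s+(?P<categories>.+?)\s+Tags\s+(?P<tags>.+?)\s+Artifact ID\s+SHA256\s+Path\s+"
    r"(?P<id>\d+)\s+(?P<sha256>[0-9a-fA-F]{64})\s+(?P<path>\S+)"
)

def parse_av_row(row: str) -> dict:
    """Split one flattened report row into fields; raise if the shape is unexpected."""
    m = ROW_RE.fullmatch(row.strip())
    if not m:
        raise ValueError(f"unrecognised report row: {row[:60]!r}")
    rec = m.groupdict()
    rec["tags"] = [t.strip() for t in rec["tags"].split(",")]
    rec["sha256"] = rec["sha256"].lower()
    # The last dot-separated component is the flagged file's own name, which is
    # what a name-keyed rule would have matched on; keep it separate for triage.
    rec["filename"] = rec["path"].rsplit(".", 1)[-1]
    return rec

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large MSI is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())
```

Typical use is `digest_matches(sha256_file("inkscape-1.3.2.msi"), WINGET_SHA256)` on the MSI winget downloaded, alongside the same comparison against the hash published on inkscape.org.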